Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

How To Encrypt Your USB Drive to Protect Data by Mohit Kumar.

From the post:

The USB flash drives or memory sticks are an excellent way to store and carry data and applications for access on any system you come across. With storage spaces already reaching 256 gigabytes, nowadays USB drives are often larger than past’s hard drives.

Thanks to increased storage capacity and low prices, you can easily store all your personal data on a tiny, easy-to-carry, USB memory stick.

The USB drive is a device that is used by almost everyone today. However, there’s a downside…

I think you’ll agree with me when I say:

USB sticks are easily lost or stolen.

Aren’t they?

However, in today’s post I am going to show you how to use your USB drives without fear of being misplaced.

If you are not aware, the leading cause of data breaches for the past few years has been the loss or theft of laptops and USB storage devices.

However, USB flash memory sticks are generally treated with far less care than laptops, and criminals seeking for corporate devices could cost your company a million dollars loss by stealing just a $12 USB drive.

By throwing light on the threats of USB drives, I’m not saying that you should never use a USB memory drives. Rather…

…I’ll introduce you a way to use your tiny data storage devices securely.

Losing USB flash drives wouldn’t be so concerning if the criminals were not granted immediate access to sensitive data stored in it.

Instead of relying merely on passwords, it’s essential for businesses to safeguard their data by encrypting the device.
…

Mohit gives great introduction to cryptsetup and its use with an Ubuntu system.

Except for one thing…in the image of creating a password, I only count seventeen (17) obscured characters. And there is no advice on how long your password/passphrase needs to be.

You may remember that the Office of Personnel Management had privileged users with passwords shorter than their own documented minimum (near the end of the post). Bad Joss!

The FAQ on cryptsetup has great advice that I will summarize and then you can read the details if you are interested.

Summary:

Ordinary:

Plain dm-crypt: Use > 80 bit. That is e.g. 17 random chars from a-z or a random English sentence of > 135 characters length.

LUKS: Use > 65 bit. That is e.g. 14 random chars from a-z or a random English sentence of > 108 characters length.

Paranoid:

Plain dm-crypt: Use > 100 bit. That is e.g. 21 random chars from a-z or a random English sentence of > 167 characters length.

LUKS: Use > 85 bit. That is e.g. 18 random chars from a-z or a random English sentence of > 140 characters length.

BTW, you were going to tell me about your minimum of eight (8) characters for a password? Feel as secure as before you started reading this post?

The fuller explanation from the cryptsetup FAQ:

5.1 How long is a secure passphrase ?

This is just the short answer. For more info and explanation of some of the terms used in this item, read the rest of Section 5. The actual recommendation is at the end of this item.

First, passphrase length is not really the right measure, passphrase entropy is. For example, a random lowercase letter (a-z) gives you 4.7 bit of entropy, one element of a-z0-9 gives you 5.2 bits of entropy, an element of a-zA-Z0-9 gives you 5.9 bits and a-zA-Z0-9!@#$%^&:-+ gives you 6.2 bits. On the other hand, a random English word only gives you 0.6…1.3 bits of entropy per character. Using sentences that make sense gives lower entropy, series of random words gives higher entropy. Do not use sentences that can be tied to you or found on your computer. This type of attack is done routinely today.

That said, it does not matter too much what scheme you use, but it does matter how much entropy your passphrase contains, because an attacker has to try on average

      1/2 * 2^(bits of entropy in passphrase)

different passphrases to guess correctly.

Historically, estimations tended to use computing time estimates, but more modern approaches try to estimate cost of guessing a passphrase.

As an example, I will try to get an estimate from the numbers in http://it.slashdot.org/story/12/12/05/0623215/new-25-gpu-monster-devours-strong-passwords-in-minutes More references can be found a the end of this document. Note that these are estimates from the defender side, so assuming something is easier than it actually is is fine. An attacker may still have vastly higher cost than estimated here.

LUKS uses SHA1 for hashing per default. The claim in the reference is 63 billion tries/second for SHA1. We will leave aside the check whether a try actually decrypts a key-slot. Now, the machine has 25 GPUs, which I will estimate at an overall lifetime cost of USD/EUR 1000 each, and an useful lifetime of 2 years. (This is on the low side.) Disregarding downtime, the machine can then break

     N = 63*10^9 * 3600 * 24 * 365 * 2 ~ 4*10^18

passphrases for EUR/USD 25k. That is one 62 bit passphrase hashed once with SHA1 for EUR/USD 25k. Note that as this can be parallelized, it can be done faster than 2 years with several of these machines.

For plain dm-crypt (no hash iteration) this is it. This gives (with SHA1, plain dm-crypt default is ripemd160 which seems to be slightly slower than SHA1):

    Passphrase entropy  Cost to break
    60 bit              EUR/USD     6k
    65 bit              EUR/USD   200K
    70 bit              EUR/USD     6M
    75 bit              EUR/USD   200M
    80 bit              EUR/USD     6B
    85 bit              EUR/USD   200B
    ...                      ...

For LUKS, you have to take into account hash iteration in PBKDF2. For a current CPU, there are about 100k iterations (as can be queried with ”cryptsetup luksDump”.

The table above then becomes:

    Passphrase entropy  Cost to break
    50 bit              EUR/USD   600k
    55 bit              EUR/USD    20M
    60 bit              EUR/USD   600M
    65 bit              EUR/USD    20B
    70 bit              EUR/USD   600B
    75 bit              EUR/USD    20T
    ...                      ...

Recommendation:

To get reasonable security for the next 10 years, it is a good idea to overestimate by a factor of at least 1000.

Then there is the question of how much the attacker is willing to spend. That is up to your own security evaluation. For general use, I will assume the attacker is willing to spend up to 1 million EUR/USD. Then we get the following recommendations:

Plain dm-crypt: Use > 80 bit. That is e.g. 17 random chars from a-z or a random English sentence of > 135 characters length.

LUKS: Use > 65 bit. That is e.g. 14 random chars from a-z or a random English sentence of > 108 characters length.

If paranoid, add at least 20 bit. That is roughly four additional characters for random passphrases and roughly 32 characters for a random English sentence.

The FAQ was edited about a month ago (as of June 17, 2015) so it should be relatively up to date. However, advances in attacks on encryption can occur without warning so use this information at your own risk. I do appreciate the FAQ answering what seems like a question that most people elide over.

PS: There are organizations that love to find encrypted USB drives in their facilities. Think of it as digital littering.

Or you can pick an encrypted USB drive with a > 100 bit key from a punch bowl at a USB drive swapping party to carry on your person and truthfully report that you don’t know the key, nor who does.

Enjoy!

Stegoloader: A Stealthy Information Stealer by Dell SecureWorks Counter Threat Unit™ Threat Intelligence.

Summary:

Malware authors are evolving their techniques to evade network and host-based detection mechanisms. Stegoloader could represent an emerging trend in malware: the use of digital steganography to hide malicious code. The Stegoloader malware family (also known as Win32/Gatak.DR and TSPY_GATAK.GTK despite not sharing any similarities with the Gataka banking trojan) was first identified at the end of 2013 and has attracted little public attention. Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers have analyzed multiple variants of this malware, which stealthily steals information from compromised systems. Stegoloader’s modular design allows its operator to deploy modules as necessary, limiting the exposure of the malware capabilities during investigations and reverse engineering analysis. This limited exposure makes it difficult to fully assess the threat actors’ intent. The modules analyzed by CTU researchers list recently accessed documents, enumerate installed programs, list recently visited websites, steal passwords, and steal installation files for the IDA tool.

A bit more of the analysis from the post:

Stegoloader’s deployment module downloads and launches the main module; it does not have persistence. Before deploying other modules, the malware checks that it is not running in an analysis environment. For example, the deployment module monitors mouse cursor movements by making multiple calls to the GetCursorPos function. If the mouse always changes position, or if it does not change position, the malware terminates without exhibiting any malicious activity.

In another effort to slow down static analysis, most of the strings found in the binary are constructed on the program stack before being used. This standard malware technique ensures that strings are not stored in clear text inside the malware body but rather are constructed dynamically, complicating detection and analysis.

Before executing its main function, Stegoloader lists the running processes on the system and terminates if a process name contains one of the strings in Table 1. Most of the strings represent security products or tools used for reverse engineering. Stegoloader does not execute its main program code if it detects analysis or security tools on the system.

Pay particular attention to the use of “standard malware” in this and other posts. You won’t impress your management or other IT folks by proclaiming a vulnerability to be “zero-day” or “state enterprise malware,” only to find that it is a standard technique of hackers everywhere.

Stegoloader is reported to be the third malware family to use digital steganography.

Great read! Well, if you like reading about the details of malware anyway.

PS: Do you think the digital steganography techniques discussed would be useful for transmission of smallish topic maps that are dynamically constructed and that are destroyed when an application exits? That is no text version of the topic map for search or copying by unfriendly forces?

Given the reported storage of “smart” phones, etc. searching all the images and applying all the possible transforms could take a while. (Read “heat death of the universe.”) Come to think of it, while the topic map concealed in digital steganography is on your phone, you could access a website that supplies the key to unlock the map. On lose of connection or termination, the map simply disappears.

It would always be available, assuming you go to the correct site but just out of the reach of nosy neighbors and others.

Something like “Now You Don’t” (NYD) for a product name I think. Yes?

I don’t think the NYPD has any time on:

Rank	Site	System
1	National Super Computer Center in Guangzhou, China	Tianhe-2 (MilkyWay-2)
2	DOE/SC/Oak Ridge National Laboratory, United States	Titan
3	DOE/NNSA/LLNL, United States	Sequoia – BlueGene/Q
4	RIKEN Advanced Institute for Computational Science (AICS), Japan	K computer
5	DOE/SC/Argonne National Laboratory, United States	Mira
6	Swiss National Supercomputing Centre (CSCS), Switzerland	Piz Daint
7	Texas Advanced Computing Center/Univ. of Texas, United States	Stampede
8	Forschungszentrum Juelich (FZJ), Germany	JUQUEEN
9	DOE/NNSA/LLNL, United States	Vulcan
10	Government, United States	Cray CS-Storm

the top ten (10) systems as of November 2014.

The images need to resist decryption, at a minimum, until you can make bail. Properly done, I suspect your images, concealing a topic map, could resist decryption for far longer than that. (That is a suspicion, not a warranty.)

Perhaps the most amusing part of such an approach would be to use campaign images from candidates for public office in the five boroughs as the only images on the phone. Even the most dedicated officers would tire of looking at that rogues gallery. 😉

From: 2015 State of the Endpoint Report: User-Centric Risk

Negligent or careless employees are the #1 threat. OK, but except for malware, the rest of the choices focus on network technologies, all of which are insecure to varying degrees.

What two (2) threats are almost as big as #1 but aren’t listed here?

What about email and web browsers? Aren’t those typical vectors used to gain entry to endpoints?

Avoiding Phishing, Enterprise Wide

Imagine if your email server was configured to reject all email that does not originate from (yourcompany).com. How many phishing emails do you think management down to the least person with an email account would get in their daily email? Moreover, I assume you have control over email clients and no email can reach an employees computer without passing through your email server. Yes?

By taking control of incoming email, you can greatly reduce the risk of phishing emails and other insecurities being introduced into your network. No communication from off-site is ever 100% safe but reducing the amount of communication reduces your risk.

Avoiding Malicious Websites, Enterprise Wide

A large number of enterprises rely upon firewalls on a daily basis but given the prevalence of malicious websites, either firewalls are not used widely enough or not configured properly.

Reducing your risk from web browsers could be an exercise in big data for your IT staff. Start tracking the web traffic from all browsers in your enterprise and over a period of months you can build up a white-list of URLs for particular department. Assuming that you purge the white-list of sites irrelevant to that department’s function, as approved by its manager, implement that as a white-list in your firewall. (I assume you are going to check to make sure the sites on the white-list are not themselves malicious.)

That avoids you guessing what is useful for particular departments and enables you to avoid all manner of hazards, such as music download sites, etc.

It would take more effort than securing email but would greatly reduce yet another attack vector.

If anyone protests that they need unfettered access to the Internet, supply them with a standalone machine that is outside of the firewall with its drives, USB ports, etc. all glued shut. To avoid attempts at data transfer from outside of your firewall to inside your firewall. (I would assume that gluing all such access points shut was routine but the Snowden and Manning proved otherwise.)

Summary

If you float either of these proposals in your enterprise, be prepared for push-back. Users think they have some vested interest in making poor decisions with regard to your network security. Management encourages that by not focusing on the people problem that lies at the root of most security breaches, preferring instead to dream of pie-in-the-sky technology answers.

Perhaps shareholders should become aware of such recommendations when management is attempting to explain away its latest major data breach, post your making the recommendations.

PS: Users who insist on being security risks should be enabled to become security risks, for some other enterprise. Cybersecurity, liability is coming.

Cyberspace Law: Cases & Materials, Third Edition

From the post:

Early adopters of Cyberspace Law: Cases and Materials were particularly pleased by how flexible, coherent, and practical the book is. Now strengthened and scrupulously updated for its Third Edition, this engaging casebook can help your students understand one of the most dynamic areas of law.

Written and structured for maximum effectiveness, the book:
– Can be used successfully in both introductory and advanced courses;
– Uses practical, classroom-tested “real world” problems to help students apply existing rules to cyberspace law;
– Features a flexible, logical organization that allows instructors to emphasize selected perspectives;
– Is designed for currency, with materials organized around competing approaches and theories for any given issue, rather than current leading cases;
– Presents current Internet law as well as related policy concerns that will drive future legal analysis when new issues emerge — the only casebook to address both areas. Offers a balanced presentation of competing approaches and theories for each issue;
– Provides a sophisticated analysis of cutting-edge legal issues through an excellent selection of cases;
– Remains up-to-date with postings of new cases and important developments on the author website.

Look for these important changes in the Third Edition:
– New co-author Jacqueline Lipton, who brings significant teaching and writing experience in the areas of international and comparative law;
– New and updated cases, including: Grokster, ACLU v. Ashcroft, U.S. v. American Library Association, Chamberlain v. Skylink, Lexmark v. Static Control Components, U.S. v. Elcomsoft, 321 Studios v. MGM Studios, Kremen v. Cohen, Blizzard v. Bnet In re Verizon, Bosley v. Kremer, and People for the Ethical Treatment of Animals v. Doughney;
– Treatment of important developments, such as political cybersquatting legislation enacted in some states (for example, California's Political Cyberfraud Abatement Act) and changes to privacy laws enacted following the Patriot Act;
– Greatly expanded international coverage, including new international cases: Sony v. Stevens, Telstra v. Desktop, Gutnick v. Dow Jones;
– Recent Canadian cases on Internet defamation issues;
– Decisions from the European Court of Justice interpreting the database directive in 2004, including the appeal in British Horseracing Board v. William Hill;
– Various developments between French and Californian courts in Yahoo litigation regarding Nazi memorabilia as well as domestic legislation implemented by all E.U. member states which complies with the requirements of the Copyright Directives;
– New section on the failed effort at private self-governance sponsored by ICANN and the scholarship surrounding that effort;
– Jurisdictional materials in the chapter on Regulating Cyberspace are consolidated for easier teaching and learning;
– Updated problems and notes.

When you consider casebooks for your next course, be sure to examine Cyberspace Law: Cases and Materials, Third Edition, the cohesive, realistic, and accessible alternative.

Useful if you are in law school, practicing cyberspace law or if you are risk adverse.

Otherwise, remember: The law is a thumb on the scale of justice, for one side or another.

The image is from TexasWatch.org.

White House Tells Agencies To Tighten Up Cyber Defenses ‘Immediately’ by Aliya Sternstein.

The steps Aliya reports start off strong enough..

U.S. Chief Information Officer Tony Scott “recently launched” what officials are calling a 30-day cybersecurity sprint.

According to White House officials, the emergency procedures include:

“Immediately” deploying so-called indicators, or tell-tale signs of cybercrime operations, into agency anti-malware tools. Specifically, the indicators contain “priority threat-actor techniques, tactics and procedures” that should be used to scan systems and check logs.

Patching critical-level software holes “without delay.” Each week, agencies receive a list of these security vulnerabilities in the form of DHS Vulnerability Scan Reports.

Tightening technological controls and policies for “privileged users,” or staff with high-level access to systems. Agencies should cut the number of privileged users; limit the types of computer functions they can perform; restrict the duration of each user’s online sessions, presumably to prevent the extraction of large amounts of data; “and ensure that privileged user activities are logged and that such logs are reviewed regularly.”

Dramatically accelerating widespread use of of “multifactor authentication” or two-step ID checks. Passwords alone are insufficient access controls, officials said. Requiring personnel to log in with a smartcard or alternative form of ID can significantly reduce the chances adversaries will pierce federal networks, they added, stopping short of mandating multi-step ID checks.

Agencies must report on progress and problems complying with these procedures within 30 days.

… but end with a whimper.

If you recall, OPM doesn’t have the IT staff, interest or even a complete list of its IT assets, not to mention this activity will conflict with other agency goals. U.S. Was Warned of System Open to Cyberattacks

How quickly do you think OPM will be able to take any of the steps Aliya outlines?

I’m betting on the government cybersecurity sprint being a multi-year egg roll.

You?

The US Navy wants to buy your zero-day vulnerabilities by Graham Cluley.

Graham reports on a solicitation from the Department of the Navy for zero-day vulnerabilities. The solicitation has been removed but Dave Maass preserved a copy here.

From the solicitation:

70­­-Common Vulnerability Exploit Products
Solicitation Number: N0018915T0245
Agency: Department of the Navy
Office: Naval Supply Systems Command
Location: NAVSUP Fleet Logistics Center Norfolk

…

The vendor shall provide the government with a proposed list of available vulnerabilities, 0­day or N­day (no older than 6 months old). This list should be updated quarterly and include intelligence and exploits affecting widely used software. The government will select from the supplied list and direct development of exploit binaries.

…

The vendor shall accept vulnerability data to include patch code, proof of concept code, or analytic white papers from the government to assist with product development. Products developed under these conditions will not be available to any other customer and will remain exclusively licensed to the government.

…

Documentation of technical expertise must be presented in sufficient detail for the Government to determine that your company possesses the necessary functional area expertise and experience to compete for this acquisition.

I understand the solicitation has now been removed from the FedBizOpps.gov site. I checked with the solicitation number and that appears to be true.

Perhaps the GSA is going to issue a more general solicitation on behalf of all government agencies.

The only odd thing I noticed in the solicitation was the exclusive license to the government of any exploit. Certainly possible but that put push the cost up several times over.

There are already private exchanges for vulnerabilities but operate in the shadows so it isn’t an efficient market. Congress should de-criminalize vulnerability exploits (unless used) so there can be an open market in vulnerabilities. Vendors and the government can compete alongside others in such a market.

One advantage to such a market is the vulnerability hunters could make a legitimate living from the sale of the fruits of their labors. Less temptation to engage in unsavory activities.